Optus Data Breach a Wake-up Call

NSWCCL has long called for stronger legislation in relation to the collection, use and retention of the personal information of Australians. We welcome the comments of the Attorney General Mark Dreyfus, referring to the Optus data breach, that every corporation should only be collecting the minimum amount of data necessary for the relevant purpose.[1]

Mr Dreyfus said he had not heard a sufficient reason as to why companies were retaining the amount of personal data they currently were, and that Optus had failed to keep user information safe.

"This is a wake-up call for corporate Australia," he said.

Telecommunications provider Optus advised this week that approximately 10 million current and former customers' data was stolen in a cyber-attack. Stolen data included names; birthdates; home addresses; phone and email contacts; passports and driving licence numbers.[2] 

The breach poses a significant risk of identity theft and fraud for those millions of customers affected. Serious questions need to be asked as to why information on former customers was retained at all and why information was retained that no longer served its original purpose (for example, identifying an individual for the purpose of only opening an account).

The Attorney general also stated "I may be bringing reforms to the Privacy Act before the end of the year to try and toughen penalties and make companies think hard about why they are storing the personal data of Australians."

Not before time, considering the OAIC decision in July 2021 that Uber failed to appropriately protect the personal data of Australian customers and drivers, which was accessed in a cyber-attack in October and November 2016.[3]

The Privacy Act 1988 is currently undergoing review. The Act was originally drafted in an environment that did not envisage the changes to the collection of information in the digital age and emphasised business considerations over the individual's personal information and right to privacy. NSWCCL strongly urges the completion of the Act’s review as a matter of urgency.

While Optus, and others, scramble for technological solutions and safeguards, NSWCCL contends that the solution lies in the enforcement of the key privacy principles of purpose, data and storage limitation and data destruction.  These principles, the requirement to notify individuals who are harmed by the eligible data breach and penalties for breaches, must be strengthened.

 

[1] ABC Insiders program 2 October 2022

[2] Turnbull, T (30 September 2022) Optus: How a massive data breach has exposed Australia
BBC News, Sydney https://www.bbc.com/news/world-australia-63056838

[3] For more, see the OAIC's media statement dated 23 July 2021: Uber found to have interfered with privacy https://www.oaic.gov.au/updates/news-and-media/uber-found-to-have-interfered-with-privacy